Run a stolen EHR badge tabletop exercise by assembling the people who manage clinic operations, EHR access, IT support, privacy, and physical security; presenting a realistic lost-credential scenario; and requiring them to make timed decisions about identity verification, account disablement, session termination, patient care continuity, and evidence preservation. The exercise should test whether your procedures satisfy HIPAA Security Rule § 164.312(d), which requires verification that a person or entity seeking access to ePHI is the one claimed. End with a documented hot wash that assigns owners and dates for every corrective action.
What should a stolen EHR badge tabletop exercise prove?
Your exercise should prove that the practice can quickly distinguish a missing physical badge from a potentially compromised identity credential. A badge used for door access, workstation sign-in, single sign-on, medication cabinets, or EHR proximity authentication can create a patient privacy and safety issue if it remains active after theft.
- Identity verification works: Staff know how to verify an employee’s identity before issuing a temporary badge, resetting credentials, or restoring access.
- Access can be contained: The practice can disable the badge, revoke linked access, terminate active sessions, and document the time each action occurred.
- Patient care continues safely: Front-desk, clinical, and billing staff have a workable downtime or alternate-authentication process without sharing passwords or using another employee’s credentials.
- Escalation is clear: The practice manager knows when to notify IT, the privacy officer, the security vendor, EHR support, leadership, and, if appropriate, law enforcement.
- Evidence is preserved: Relevant badge logs, EHR audit logs, camera footage, help-desk tickets, and communications are retained for review.
- Risk assessment can begin: The privacy lead receives enough reliable facts to determine whether unauthorized access to PHI occurred and whether the incident requires further breach analysis.
Do not use the exercise to judge whether a receptionist remembered every policy word-for-word. Use it to expose operational gaps: unclear after-hours contacts, delayed badge deactivation, broad shared access, incomplete EHR audit logging, or an unsafe workaround that staff may use when a clinic is busy.
What does a realistic stolen-badge scenario narrative look like?
Riverview Urgent Care operates six clinics with approximately 110 employees, including physicians, nurse practitioners, medical assistants, reception staff, billers, and a small centralized IT team. Each clinic uses HID proximity badges to enter staff-only areas and release print jobs. Certain clinical workstations use Imprivata OneSign badge tap for single sign-on into Epic Hyperdrive, while other systems require a username, password, and Duo multifactor authentication. The organization’s privacy officer is also the compliance manager, and its practice manager on duty coordinates clinic operations when an incident occurs.
It is 8:10 a.m. on a Monday at Riverview’s busiest location. The waiting room is full after a weekend respiratory illness surge. Maria, a medical assistant scheduled to open the clinic, tells the charge nurse that her purse was stolen from her car overnight. Her employee badge, driver’s license, and a paper note containing a phone number were in the purse. Maria says the badge is normally used to enter the rear staff door, access the medication-room corridor, and tap into shared clinical workstations. She is unsure whether the badge was in the purse when she last used it on Friday, but she believes it was.
The charge nurse calls the practice manager. The manager asks Maria to use the employee portal on her phone to report the loss, but Maria cannot remember her portal password and says her personal phone battery is nearly depleted. Meanwhile, a front-desk employee reports that the rear staff door was opened at 7:42 a.m. using Maria’s badge. The door camera shows a person wearing a hood entering the hallway, but the image is not clear enough for immediate identification. The badge reader log does not show whether that person entered an exam room or used a workstation.
At 8:18 a.m., the IT service desk receives a Microsoft Entra ID sign-in alert for Maria’s account from a workstation at the clinic. The sign-in itself is not unusual because Maria normally works there. However, the EHR audit report shows that the account opened three patient charts assigned to a different provider team, including one pediatric patient and one employee-health visit. The account has not placed orders, changed demographics, or printed records. Because Imprivata enables fast user switching, the workstation may still have an active session even after the badge is disabled.
Participants must decide what happens next. They need to preserve the clinic’s ability to room patients while ensuring no one receives a temporary badge or restored account access merely because they claim to be Maria. They also need to decide who can disable the physical badge, whether to terminate every active EHR session, how to capture logs before retention periods or system rotation affect them, and how to communicate with staff without disclosing unnecessary details about the suspected theft.
Which injects should occur at 15, 30, and 45 minutes?
Deliver the injects verbally or in writing after participants have discussed the initial facts. Do not rescue the group with the answer; ask what they would do, who would do it, and what evidence would show the action was completed.
| Exercise time | Inject | Decision the group must make | Evidence to request |
|---|---|---|---|
| 15 minutes | The security vendor confirms Maria’s badge was disabled at 8:22 a.m., but the rear-door reader accepted it again at 8:25 a.m. because the clinic controller had not synchronized with the central access-control server. | Determine whether the rear entrance must be staffed or locked, who contacts the vendor, and whether other clinic badges are affected. | HID access-control disablement record, controller synchronization status, door-event export, and vendor ticket number. |
| 30 minutes | A receptionist says someone calling as Maria asked for a temporary badge and stated that the manager had already approved it. The receptionist did not issue a badge but wants to know what verification is required. | Apply the temporary-credential identity-proofing procedure without relying on voice recognition, a familiar story, or a caller ID number. | Approved identity-verification steps, supervisor approval record, callback method, and temporary-badge issuance log. |
| 45 minutes | The privacy officer receives an Epic audit report showing one chart was opened after the badge was reported stolen, and an attempted print job was sent to the clinic’s release queue. No printed pages were released. | Decide whether containment is complete, what additional records must be preserved, and what facts are needed for the HIPAA incident and breach-risk review. | Epic access audit log, Imprivata session report, print-release log, camera-footage preservation request, and incident timeline. |
How do you facilitate the credential-loss exercise effectively?
Schedule 60 minutes for the discussion and 20 minutes for the hot wash. Invite the practice manager, charge nurse or clinical lead, front-desk lead, IT service-desk representative, privacy officer, security or facilities contact, and an EHR administrator. If the practice outsources IT or building access control, include the vendor relationship owner so the discussion reflects actual support hours and escalation paths.
Start by establishing two rules: participants should describe current practice rather than the policy they wish existed, and the facilitator may ask for proof of an action rather than accepting “IT would handle it” as an answer. A useful question is, “What is the exact call, ticket, log, or screen that confirms this occurred?”
What questions should the facilitator ask?
- How does the first person receiving the report verify that the reporter is the actual employee before changing account or badge status?
- Who has authority to disable a physical badge, suspend EHR access, revoke active single sign-on sessions, and issue a replacement credential?
- What is the target time from report of theft to badge disablement, and how is that time measured?
- Can a disabled badge still unlock a door during controller synchronization delays or offline operation?
- Does disabling the badge also end active Imprivata, Epic, VPN, Microsoft 365, or other ePHI-related sessions?
- What safe workflow allows the employee to work, if appropriate, while identity is re-established and replacement access is issued?
- How do staff avoid shared passwords, borrowed badges, generic workstation accounts, or “just this once” chart access?
- Which logs show whether PHI was viewed, printed, exported, altered, or sent outside the organization?
- Who owns the HIPAA incident record, and who decides whether a formal breach risk assessment is required?
For a strong authentication-focused drill, ask participants to identify their “proof of identity” standard for a replacement badge. For example, Riverview may require in-person presentation of government-issued identification to a manager who compares it with the HR record, followed by confirmation from HR or the employee’s supervisor. If the employee cannot appear in person, the practice should use a documented exception process with stronger verification, not a casual phone approval.
What belongs in the hot-wash debrief template?
Conduct the hot wash immediately after the exercise, while participants can still identify delays, assumptions, and missing contacts. Record facts separately from opinions. A finding such as “no one knew whether badge disablement terminates active SSO sessions” is more useful than “communication needs improvement.”
| Finding | Risk or control gap | Corrective action | Owner | Due date |
|---|---|---|---|---|
| Badge disablement required manual controller synchronization. | A stolen credential could remain usable at an offline door after central deactivation. | Configure an alert for unsynchronized controllers and create a staffed-entry procedure when synchronization exceeds 10 minutes. | Facilities manager | August 15, 2026 |
| Staff were uncertain whether Imprivata sessions remain active after badge deactivation. | Unauthorized users may access an already-open ePHI session. | Test session-revocation behavior and add the approved session-termination step to the lost-credential runbook. | EHR administrator | August 1, 2026 |
| Front desk lacked a documented temporary-badge identity-verification script. | An impersonator could obtain physical or logical access by phone. | Create a two-person verification workflow and train reception and charge-nurse staff. | Practice manager | August 22, 2026 |
| Print-release logs were not included in the incident checklist. | The organization may overlook attempted disclosure of PHI through printing. | Add print-server and release-queue review to the privacy incident evidence checklist. | Privacy officer | August 8, 2026 |
Within five business days, distribute the finalized timeline, findings, and corrective-action list to participants and leadership. Retest the highest-risk gap after remediation, especially any gap affecting the verification procedures required by HIPAA § 164.312(d).
Next step: Put a 60-minute badge-theft exercise on your next clinic leadership meeting agenda and bring your actual badge-disablement, EHR-session, and temporary-access procedures to the table.